npm - chain-audit - Versions diffs - 0.6.2 → 0.6.5 - Mend

chain-audit 0.6.2 → 0.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -5,7 +5,10 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Node.js Version](https://img.shields.io/node/v/chain-audit.svg)](https://nodejs.org)
-**Fast, zero-dependency CLI to detect supply chain attacks in `node_modules`.**
+**Zero-dependency heuristic scanner CLI to detect supply chain attacks in `node_modules`.**
+> **Disclaimer:** chain-audit is a **heuristic scanner** that searches for suspicious patterns in code. It does **not** detect 100% confirmed attacks, but rather flags potentially suspicious behavior that requires **human analysis**. The tool may produce **false positives** (flagging legitimate code as suspicious) and **false negatives** (missing real attacks). It's up to you to review and determine whether findings are actually suspicious or legitimate. Always investigate findings before taking action.
+> Licensed under **MIT License**, provided "AS IS" without warranty of any kind.
 ---
@@ -15,14 +18,17 @@
 |---------|-------------|-----------|
 | Detects known CVEs | ❌ | ✅ |
 | Detects malicious install scripts | ✅ | ❌ |
-| Detects typosquatting | ✅ | ❌ |
-| Detects extraneous packages | ✅ | ❌ |
-| Detects obfuscated code | ✅ | ❌ |
+| Detects network access in scripts | ✅ | ❌ |
+| Detects env exfiltration attempts | ✅ | ❌ |
+| Detects executable files | ✅ | ❌ |
+| Detects native binaries | ✅ | ❌ |
+| Detects corrupted package.json | ✅ | ❌ |
+| Detects metadata anomalies | ✅ | ❌ |
 | Zero dependencies | ✅ | N/A |
 | Works offline | ✅ | ❌ |
-| SARIF output (GitHub integration) | ✅ | ❌ |
+| SARIF output (GitHub integration) [experimental] | ✅ | ❌ |
-**Use both together** – `npm audit` for known vulnerabilities, `chain-audit` for detecting novel attacks.
+**Use both together** – `npm audit` for known vulnerabilities, `chain-audit` (heuristic scanner) for detecting novel attacks and suspicious patterns.
 ## Installation
@@ -69,7 +75,10 @@ bun build src/index.js --compile --outfile chain-audit
 ## Quick Start
 ```bash
-# Scan current project
+# Recommended: Thorough scan with detailed analysis
+chain-audit --scan-code --detailed
+# Scan current project (basic scan)
 chain-audit
 # Fail CI on high severity issues
@@ -84,7 +93,7 @@ chain-audit --severity critical,high --fail-on high
 # JSON output for processing
 chain-audit --json
-# SARIF output for GitHub Code Scanning
+# SARIF output for GitHub Code Scanning (experimental)
 chain-audit --sarif > results.sarif
 # Deep code analysis (slower but more thorough)
@@ -97,7 +106,7 @@ chain-audit --detailed --scan-code
 chain-audit --detailed --json --scan-code
 # Ignore specific packages and rules
-chain-audit --ignore-packages "@types/*" --ignore-rules native_binary
+chain-audit --ignore-packages "@types/*" --ignore-rules native_binary,executable_files
 # Additional structure integrity checks
 chain-audit --verify-integrity --fail-on high
@@ -120,7 +129,7 @@ chain-audit --check-typosquatting
 | `-l, --lock <path>` | Path to lockfile (auto-detects npm, yarn, pnpm, bun) |
 | `-c, --config <path>` | Path to config file (auto-detects if not specified) |
 | `--json` | Output as JSON |
-| `--sarif` | Output as SARIF (for GitHub Code Scanning) |
+| `--sarif` | Output as SARIF (for GitHub Code Scanning) [experimental] |
 | `-s, --severity <levels>` | Show only specified severity levels (comma-separated, e.g., `critical,high`) |
 | `--fail-on <level>` | Exit 1 if max severity >= level |
 | `--scan-code` | Deep scan JS files for suspicious patterns |
@@ -131,7 +140,7 @@ chain-audit --check-typosquatting
 | `-f, --force` | Force overwrite existing config file (use with `--init`) |
 | **Filtering Options** | |
 | `-I, --ignore-packages <list>` | Ignore packages (comma-separated, supports globs, e.g., `@types/*,lodash`) |
-| `-R, --ignore-rules <list>` | Ignore rule IDs (comma-separated, e.g., `native_binary,install_script`) |
+| `-R, --ignore-rules <list>` | Ignore rule IDs (comma-separated, e.g., `native_binary,executable_files,install_script`) |
 | `-T, --trust-packages <list>` | Trust packages (comma-separated, supports globs, e.g., `esbuild,@swc/*`) |
 | **Scan Options** | |
 | `--max-file-size <bytes>` | Max file size to scan (default: 1048576 = 1MB) |
@@ -145,11 +154,11 @@ chain-audit --check-typosquatting
 | Level | Description | Example |
 |-------|-------------|---------|
-| `critical` | Highly likely malicious | Obfuscated code with network access, extraneous packages |
+| `critical` | Highly likely malicious | Obfuscated code with network access, version mismatch |
 | `high` | Strong attack indicators | Suspicious install scripts with network/exec, typosquatting |
 | `medium` | Warrants investigation | Install scripts, shell execution patterns |
 | `low` | Informational | Native binaries, minimal metadata |
-| `info` | Metadata only | Packages with install scripts that match trusted patterns (if configured) |
+| `info` | Metadata only | Packages with install scripts that are in trusted packages list (if configured) |
 ### Filtering by Severity
@@ -169,12 +178,13 @@ chain-audit --severity low,medium
 chain-audit --severity critical,high --fail-on high
 ```
-Issues will be displayed in the order they are found, grouped by the severity levels you specified.
+Issues will be displayed sorted by severity (highest first), then by package name, grouped by severity level. When using `--severity`, only the specified severity levels are shown.
 ## Example Output
 ```
-chain-audit v0.6.2
+chain-audit v0.6.5
+Zero-dependency heuristic scanner CLI to detect supply chain attacks in node_modules
 ────────────────────────────────────────────────────────────
 node_modules: /path/to/project/node_modules
@@ -186,9 +196,9 @@ Found 3 potential issue(s):
 ── CRITICAL ──
   ● evil-package@1.0.0
-    reason: extraneous_package
-    detail: Package exists in node_modules but is missing from lockfile
-    fix: Run `npm ci` to reinstall from lockfile
+    reason: version_mismatch
+    detail: Installed version 1.0.0 does not match lockfile version 0.9.5
+    fix: Run `npm ci` to reinstall correct version
 ── HIGH ──
   ● suspic-lib@2.0.0
@@ -198,9 +208,9 @@ Found 3 potential issue(s):
 ── MEDIUM ──
   ● some-addon@1.2.3
-    reason: install_script
-    detail: Has postinstall script: node-gyp rebuild
-    fix: Review the script to ensure it performs only expected operations
+    reason: extraneous_package
+    detail: Package exists in node_modules but is missing from lockfile
+    fix: Run `npm ci` to reinstall from lockfile
 ────────────────────────────────────────────────────────────
 Summary:
@@ -223,10 +233,10 @@ When `--detailed` is enabled, each finding includes:
 - **Matched patterns** (regex) that triggered the detection
 - **Package metadata**: author, repository URL, license, homepage, full file path
 - **Trust assessment**: trust score (0-100) and trust level (low/medium/high)
-- **Evidence**: file paths, line numbers, column numbers, matched text
+- **Evidence**: file paths, line numbers, column numbers (in matches array), matched text
 - **False positive hints**: guidance on legitimate uses that might trigger the detection
-- **Verification steps**: actionable steps for manual investigation
-- **Risk assessment**: for critical findings, notes about known attack patterns (e.g., Shai-Hulud 2.0)
+- **Verification steps**: actionable steps for manual investigation (available for some findings like typosquatting)
+- **Risk assessment**: for high/critical findings, notes about known attack patterns
 ### Trust Score Calculation
@@ -234,17 +244,17 @@ The trust score (0-100) is calculated based on multiple factors:
 | Factor | Points | Description |
 |--------|--------|-------------|
-| **Trusted scope** | +40 | Package is from a scope listed in `trustedPackages` config (if configured) |
-| **Known legitimate** | +50 | Package is in the `trustedPackages` config list (if configured) |
+| **Trusted scope** | +40 | Package is from a scope in the internal trusted scopes list (currently empty by default) |
+| **Known legitimate** | +50 | Package is in the internal known legitimate packages list (currently empty by default) |
 | **Has repository** | +20 | Package has a repository URL in package.json |
 | **Has homepage** | +10 | Package has a homepage URL |
 | **Has author** | +10 | Package has author information |
 | **Has license** | +10 | Package has a license field |
-**Note:** By default, no packages are whitelisted. All packages are checked with equal severity. You can configure `trustedPackages` in `.chainauditrc.json` if you need to reduce false positives for specific packages.
+**Note:** Trust score is calculated independently from the `trustedPackages` config option. The `trustedPackages` config option affects severity levels for install scripts, but does not influence the trust score calculation. By default, no packages are whitelisted in the trust score calculation. All packages are checked with equal severity.
 **Trust Levels:**
-- **High (70-100)**: Package is likely legitimate (e.g., configured as trusted with repository)
+- **High (70-100)**: Package is likely legitimate (e.g., has repository, homepage, author, and license)
 - **Medium (40-69)**: Package has some trust indicators but needs verification
 - **Low (0-39)**: Package lacks trust indicators, warrants closer investigation
@@ -306,14 +316,16 @@ Alternatively, you can manually create a config file in your project root. Suppo
   ],
   "trustedPatterns": {
     "node-gyp rebuild": true,
-    "prebuild-install": true
+    "prebuild-install": true,
+    "node-pre-gyp": true
   },
-  "scanCode": false,
+  "scanCode": true,
   "checkTyposquatting": false,
+  "checkLockfile": false,
   "failOn": "high",
   "severity": ["critical", "high"],
   "format": "text",
-  "verbose": false,
+  "verbose": true,
   "maxFileSizeForCodeScan": 1048576,
   "maxNestedDepth": 10,
   "maxFilesPerPackage": 0,
@@ -329,12 +341,13 @@ Alternatively, you can manually create a config file in your project root. Suppo
 | `ignoredRules` | `string[]` | `[]` | Rule IDs to ignore |
 | `trustedPackages` | `string[]` | `[]` | Packages with reduced severity for install scripts (empty by default - all packages are checked) |
 | `trustedPatterns` | `object` | `{node-gyp rebuild: true, ...}` | Install script patterns considered safe |
-| `scanCode` | `boolean` | `false` | Enable deep code scanning by default |
+| `scanCode` | `boolean` | `false` | Enable deep code scanning (default: `false` without config, `true` when generated with `--init`) |
 | `checkTyposquatting` | `boolean` | `false` | Enable typosquatting detection (disabled by default to reduce false positives) |
+| `checkLockfile` | `boolean` | `false` | Enable lockfile integrity checks (disabled by default due to possible false positives) |
 | `failOn` | `string` | `null` | Default fail threshold (`info\|low\|medium\|high\|critical`) |
 | `severity` | `string[]` | `null` | Show only specified severity levels (e.g., `["critical", "high"]`) |
-| `format` | `string` | `"text"` | Output format: `text`, `json`, or `sarif` |
-| `verbose` | `boolean` | `false` | Show detailed analysis with code snippets and trust scores (Note: CLI flag is `--detailed`, but config uses `verbose` for consistency) |
+| `format` | `string` | `"text"` | Output format: `text`, `json`, or `sarif` (sarif is experimental) |
+| `verbose` | `boolean` | `false` | Show detailed analysis with code snippets and trust scores (default: `false` without config, `true` when generated with `--init`). Note: CLI flag is `--detailed`, but config uses `verbose` for consistency |
 | `maxFileSizeForCodeScan` | `number` | `1048576` | Max file size (bytes) to scan for code patterns |
 | `maxNestedDepth` | `number` | `10` | Max depth to traverse nested node_modules |
 | `maxFilesPerPackage` | `number` | `0` | Max JS files to scan per package (0 = unlimited) |
@@ -372,7 +385,7 @@ jobs:
         run: npm rebuild
 ```
-### With SARIF Upload (GitHub Code Scanning)
+### With SARIF Upload (GitHub Code Scanning) [experimental]
 ```yaml
 name: Security Scan
@@ -429,7 +442,7 @@ jobs:
 - `node-modules-path` (default: `./node_modules`) – Path to node_modules directory
 - `fail-on` (default: `high`) – Severity threshold to fail on (info|low|medium|high|critical)
 - `scan-code` (default: `false`) – Enable deep code scanning (slower)
-- `upload-sarif` (default: `true`) – Upload SARIF to GitHub Code Scanning
+- `upload-sarif` (default: `true`) – Upload SARIF to GitHub Code Scanning [experimental]
 The reusable workflow automatically uses `--ignore-scripts` for safe installation.
@@ -448,7 +461,7 @@ The reusable workflow automatically uses `--ignore-scripts` for safe installatio
 ### CI/CD Security Best Practices
-Supply chain attacks like [Shai-Hulud 2.0](https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack) exploited misconfigured GitHub Actions. **Protect your CI/CD:**
+Supply chain attacks have exploited misconfigured GitHub Actions. **Protect your CI/CD:**
 ```yaml
 # DANGEROUS - Don't use pull_request_target with checkout
@@ -479,44 +492,48 @@ chain-audit automatically detects and parses:
 | Lockfile | Package Manager |
 |----------|-----------------|
-| `package-lock.json` | npm v2/v3 |
-| `npm-shrinkwrap.json` | npm |
+| `package-lock.json` | npm v2/v3 (v1 supported as fallback) |
+| `npm-shrinkwrap.json` | npm (v1/v2/v3) |
 | `yarn.lock` | Yarn Classic & Berry |
 | `pnpm-lock.yaml` | pnpm |
-| `bun.lock` | Bun |
+| `bun.lock` | Bun (text format) |
+| `bun.lockb` | Bun (binary format, not supported - use `bun install --save-text-lockfile` to generate text format) |
 ## Detection Rules
 ### Critical Severity
-- **extraneous_package** – Package in node_modules not in lockfile
-- **version_mismatch** – Installed version differs from lockfile
+- **version_mismatch** – Installed version differs from lockfile (requires `--check-lockfile`)
+- **pipe_to_shell** – Script pipes content to shell (`| bash`)
+- **potential_env_exfiltration** – Env access + network in install script
+### High Severity
 - **corrupted_package_json** – Package has malformed or unreadable package.json
+- **network_access_script** – Install script with curl/wget/fetch patterns (high for install scripts, low for trusted install scripts, medium/low for others)
+- **potential_typosquat** – Package name similar to popular package (requires `--check-typosquatting`)
+- **suspicious_name_pattern** – Package name uses character substitution (l33t speak) or prefix patterns (requires `--check-typosquatting`) (high for character substitution, medium for prefix patterns)
+- **eval_usage** – Code uses eval() or new Function() (requires `--scan-code`)
+- **sensitive_path_access** – Code accesses ~/.ssh, ~/.aws, etc. (requires `--scan-code`)
+- **shell_execution** – Script executes shell commands (high for install scripts, medium/low for others)
 ### High Severity (with `--verify-integrity`)
 - **package_name_mismatch** – Package name in package.json doesn't match expected from path
 - **suspicious_resolved_url** – Package resolved from local file or suspicious URL
-- **pipe_to_shell** – Script pipes content to shell (`| bash`)
-- **potential_env_exfiltration** – Env access + network in install script
-- **env_with_network** – Code accesses env vars and has network/exec capabilities
-- **obfuscated_code** – Base64/hex encoded strings, char code arrays
-### High Severity
-- **network_access_script** – Install script with curl/wget/fetch patterns
-- **potential_typosquat** – Package name similar to popular package (requires `--check-typosquatting`)
-- **suspicious_name_pattern** – Package name uses character substitution (l33t speak) (requires `--check-typosquatting`)
-- **eval_usage** – Code uses eval() or new Function()
-- **sensitive_path_access** – Code accesses ~/.ssh, ~/.aws, etc.
-- **shell_execution** – Script executes shell commands
+### Critical Severity (with `--scan-code`)
+- **obfuscated_code** – Base64/hex encoded strings, char code arrays
+- **env_with_network** – Code accesses env vars and has network/exec capabilities (critical when network access is present, medium for install scripts without network)
 ### Medium Severity
-- **install_script** – Has preinstall/install/postinstall/prepare script
-- **code_execution** – Script runs code via node -e, python -c, etc.
+- **extraneous_package** – Package in node_modules not in lockfile (requires `--check-lockfile`)
+- **install_script** – Has preinstall/install/postinstall script (medium, or info/low for trusted packages/patterns)
+- **code_execution** – Script runs code via node -e, python -c, etc. (high for install scripts, medium/low for others)
 - **child_process_usage** – Code uses child_process module
 - **node_network_access** – Code uses Node.js network APIs (fetch, https, axios)
 - **git_operation_install** – Install script performs git operations
+- **executable_files** – Contains executable files (shell scripts, etc.) - high if outside bin/, low if in bin/
 ### Low/Info Severity
-- **native_binary** – Contains .node, .so, .dll, .dylib files
+- **native_binary** – Contains native module binaries (.node, .so, .dylib files)
 - **no_repository** – No repository URL in package.json
 - **minimal_metadata** – Very short/missing description
@@ -525,11 +542,13 @@ chain-audit automatically detects and parses:
 ```javascript
 const { run } = require('chain-audit');
-const result = await run(['node', 'script.js', '--json', '--fail-on', 'high']);
+const result = run(['node', 'script.js', '--json', '--fail-on', 'high']);
 console.log(result.exitCode);  // 0 or 1
-console.log(result.issues);    // Array of issues found
-console.log(result.summary);   // { counts: {...}, maxSeverity: 'high' }
+console.log(result.issues);    // Array of all issues found (not filtered by --severity)
+console.log(result.summary);   // { counts: {...}, maxSeverity: 'high' } (calculated from filtered issues if --severity is used)
+// Note: run() also outputs to console.log() by default. Use --json format to get structured output.
 ```
 ## Best Practices
@@ -565,7 +584,7 @@ npm rebuild
 3. **Run in sandboxed CI** – Isolate potentially malicious code
 4. **Combine with npm audit** – chain-audit detects different threats
 5. **Review all findings** – Some may be false positives
-6. **Use `--scan-code` periodically** – More thorough but slower
+6. **Recommended: Use `--scan-code --detailed` for thorough analysis** – Deep code scanning with detailed evidence (slower but most comprehensive)
 7. **Use `--detailed` for manual investigation** – Get code snippets and trust assessment to distinguish false positives (`--verbose` is an alias)
 8. **Keep registry secure** – Use private registry or npm audit signatures
 9. **All packages are checked equally** – No packages are whitelisted by default. Even popular packages like `sharp`, `esbuild`, or `@babel/*` are checked for malicious patterns. This ensures that compromised packages are detected regardless of their reputation.
@@ -598,7 +617,13 @@ Hubert Kasperek
 ---
-**Disclaimer:** chain-audit is a heuristic scanner created for **educational and research purposes**, provided "AS IS" without warranty of any kind. It may produce false positives and **cannot catch all attacks**.
+**Disclaimer:** chain-audit is a **heuristic scanner** created for **educational and research purposes**, licensed under **MIT License**, provided "AS IS" without warranty of any kind. The author makes no guarantees about the tool's accuracy, completeness, or reliability.
+**Important limitations:**
+- chain-audit does **not** detect 100% confirmed attacks – it scans code for suspicious patterns
+- It may produce **many false positives** – findings require human analysis to determine if they're actually suspicious
+- It **cannot catch all attacks** – sophisticated or novel attack patterns may be missed
+- The tool flags potentially suspicious behavior, but **you are responsible** for reviewing and validating all findings
 **The author takes no responsibility for:**
 - False positives or false negatives in detection

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "chain-audit",
-  "version": "0.6.2",
-  "description": "Fast, zero-dependency CLI to detect supply chain attacks in node_modules. Scans for malicious install scripts, typosquatting, extraneous packages, and suspicious code patterns.",
+  "version": "0.6.5",
+  "description": "Zero-dependency heuristic scanner CLI to detect supply chain attacks in node_modules. Scans for malicious install scripts, typosquatting, extraneous packages, lockfile integrity, obfuscated code, executable files, and suspicious code patterns.",
   "main": "src/index.js",
   "bin": {
     "chain-audit": "src/index.js"
@@ -31,17 +31,12 @@
   "keywords": [
     "security",
     "supply-chain",
-    "supply-chain-attack",
-    "node-modules",
-    "audit",
-    "malware",
     "dependency",
-    "npm-audit",
-    "postinstall",
-    "typosquatting",
-    "ci",
-    "github-actions",
-    "sarif"
+    "heuristic-scanner",
+    "lockfile",
+    "obfuscation",
+    "static-analysis",
+    "ci"
   ],
   "author": "Hubert Kasperek",
   "license": "MIT",

package/src/analyzer.js CHANGED Viewed

@@ -91,7 +91,7 @@ const CHILD_PROCESS_PATTERNS = [
 /**
  * Node.js network/HTTP patterns (for code scanning)
- * These are used for data exfiltration in attacks like Shai-Hulud 2.0
+ * These are used for data exfiltration in supply chain attacks
  */
 const NODE_NETWORK_PATTERNS = [
   /\bfetch\s*\(/,
@@ -164,9 +164,10 @@ const OBFUSCATION_PATTERNS = [
 ];
 /**
- * Native binary extensions
+ * Native binary extensions (legitimate native modules)
+ * Note: .exe and .dll are checked separately as executable_files (high severity)
  */
-const NATIVE_EXTENSIONS = ['.node', '.so', '.dll', '.dylib', '.exe'];
+const NATIVE_EXTENSIONS = ['.node', '.so', '.dylib'];
 /**
  * Git/version control patterns (lower risk but worth noting)
@@ -244,6 +245,9 @@ function analyzePackage(pkg, lockIndex, config = {}) {
   // 4. Check for native binaries
   checkNativeBinaries(pkg, issues, verbose);
+  // 4.5. Check for executable files (shell scripts, etc.) - potential supply chain attack
+  checkExecutableFiles(pkg, issues, verbose, config);
   // 5. Check for typosquatting (optional, enabled with --check-typosquatting)
   if (config.checkTyposquatting) {
     checkTyposquatting(pkg, issues, verbose);
@@ -941,7 +945,7 @@ function analyzeScriptContent(script, scriptName, isInstall, isTrusted, issues,
             'Legitimate uses: sending analytics with env-based config',
             'Check if sensitive env vars (API keys, tokens) could be accessed',
           ],
-          riskAssessment: 'CRITICAL - Matches Shai-Hulud 2.0 attack pattern',
+          riskAssessment: 'CRITICAL - Matches known credential exfiltration attack patterns',
         };
       }
@@ -1027,6 +1031,177 @@ function findNativeArtifacts(pkgDir, maxDepth = 3) {
   return found;
 }
+/**
+ * Check for executable files (shell scripts, etc.) - potential supply chain attack
+ *
+ * NOTE: All packages are checked. Users can ignore this rule for specific packages
+ * using --ignore-rules executable_files or by configuring ignoredRules in .chainauditrc.json
+ */
+function checkExecutableFiles(pkg, issues, verbose = false, config = {}) {
+  // Check if this rule is ignored
+  if (config.ignoredRules && config.ignoredRules.includes('executable_files')) {
+    return;
+  }
+  const found = findExecutableFiles(pkg.dir, 5);
+  if (found.length > 0) {
+    // Check if files are in bin/ directory (expected) or root/other locations (suspicious)
+    const binFiles = found.filter(f => /^bin\//i.test(path.relative(pkg.dir, f)));
+    const suspiciousFiles = found.filter(f => !/^bin\//i.test(path.relative(pkg.dir, f)));
+    // Determine severity:
+    // - HIGH: files outside bin/ (very suspicious - matches attack patterns)
+    // - LOW: all files in bin/ (less suspicious - some packages use shell scripts for installation)
+    const severity = suspiciousFiles.length > 0 ? 'high' : 'low';
+    const listed = found.slice(0, 5).map(p => {
+      const relPath = path.relative(pkg.dir, p);
+      return relPath;
+    }).join(', ');
+    const issue = {
+      severity: severity,
+      reason: 'executable_files',
+      detail: `Contains executable files (shell scripts, etc.): ${listed}${found.length > 5 ? `, +${found.length - 5} more` : ''}`,
+      recommendation: suspiciousFiles.length > 0
+        ? 'Executable files outside bin/ directory are suspicious and may indicate a supply chain attack. Review immediately.'
+        : 'Shell scripts in bin/ directory are less suspicious but should be reviewed for malicious content.',
+    };
+    if (verbose) {
+      issue.verbose = {
+        evidence: {
+          executableCount: found.length,
+          binFilesCount: binFiles.length,
+          suspiciousFilesCount: suspiciousFiles.length,
+          executableFiles: found.map(f => {
+            const relPath = path.relative(pkg.dir, f);
+            const isInBin = /^bin\//i.test(relPath);
+            return {
+              path: f,
+              relativePath: relPath,
+              filename: path.basename(f),
+              extension: path.extname(f),
+              isInBin: isInBin,
+              isSuspicious: !isInBin,
+            };
+          }),
+        },
+        falsePositiveHints: [
+          suspiciousFiles.length > 0 ? '⚠ Executable files outside bin/ are highly suspicious' : null,
+          'Shell scripts (.sh) in npm packages are unusual and should be reviewed',
+          'Check if executables are necessary for package functionality',
+          'Review executable content for malicious code (network access, credential exfiltration)',
+          binFiles.length > 0 && suspiciousFiles.length === 0 ? '✓ Shell scripts in bin/ are less suspicious (some packages use them for installation)' : null,
+          'To ignore this check for specific packages, use --ignore-rules executable_files',
+        ].filter(Boolean),
+        riskAssessment: suspiciousFiles.length > 0
+          ? 'HIGH - Executable files outside bin/ match supply chain attack patterns'
+          : 'LOW - Shell scripts in bin/ are less suspicious but should be reviewed',
+        attackPattern: 'Executable files (especially .sh scripts) in npm packages can be used for supply chain attacks',
+      };
+    }
+    issues.push(issue);
+  }
+}
+/**
+ * Find executable files in package (shell scripts, PowerShell, binaries, etc.)
+ * Note: .js files are scanned by code scanner, not flagged here
+ */
+function findExecutableFiles(pkgDir, maxDepth = 5) {
+  const found = [];
+  const stack = [{ dir: pkgDir, depth: 0 }];
+  // Executable file extensions - only real executables, not .js (those are scanned by code scanner)
+  const EXECUTABLE_EXTENSIONS = [
+    // Shell scripts
+    '.sh', '.bash', '.zsh', '.fish', '.csh', '.tcsh', '.ksh',
+    // PowerShell
+    '.ps1', '.psm1', '.psd1',
+    // Windows batch
+    '.bat', '.cmd', '.com',
+    // Binaries (executables)
+    '.exe', '.bin',
+    // Other scripts
+    '.py', '.pl', '.rb', '.php', '.r', '.lua',
+  ];
+  while (stack.length > 0) {
+    const { dir, depth } = stack.pop();
+    if (depth > maxDepth) continue;
+    let entries = [];
+    try {
+      entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      continue;
+    }
+    for (const entry of entries) {
+      // Skip common directories that shouldn't be checked
+      if (entry.name.startsWith('.') ||
+          entry.name === 'node_modules' ||
+          entry.name === '.git') {
+        continue;
+      }
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        stack.push({ dir: fullPath, depth: depth + 1 });
+      } else if (entry.isFile()) {
+        const ext = path.extname(entry.name).toLowerCase();
+        // Check by extension - only real executables, not .js files
+        // .js files are already scanned by code scanner
+        if (EXECUTABLE_EXTENSIONS.includes(ext)) {
+          found.push(fullPath);
+          continue;
+        }
+        // Check for files without extension that are executable
+        // Only flag if they have shebang (not just chmod +x, which can be accidental)
+        // Skip known text files (LICENSE, README, CHANGELOG, etc.)
+        if (ext === '') {
+          const filename = entry.name.toUpperCase();
+          const knownTextFiles = ['LICENSE', 'LICENCE', 'README', 'CHANGELOG', 'HISTORY', 'AUTHORS', 'CONTRIBUTORS', 'NOTICE', 'COPYING', 'INSTALL', 'MAKEFILE', 'MAKEFILE.IN'];
+          // Skip known text files
+          if (knownTextFiles.some(tf => filename === tf || filename.startsWith(tf + '.'))) {
+            continue;
+          }
+          // Check if file has execute permission AND shebang (not just chmod +x)
+          try {
+            const stat = fs.statSync(fullPath);
+            if ((stat.mode & 0o111) !== 0) {
+              // File is executable - check if it has shebang (real executable script)
+              try {
+                const content = fs.readFileSync(fullPath, 'utf8');
+                const firstLine = content.split('\n')[0];
+                // Only flag if it has shebang (#!/bin/bash, #!/usr/bin/env python, etc.)
+                if (/^#!/.test(firstLine)) {
+                  found.push(fullPath);
+                }
+              } catch {
+                // If we can't read content, skip (might be binary)
+                continue;
+              }
+            }
+          } catch {
+            // Skip files we can't check
+            continue;
+          }
+        }
+      }
+    }
+  }
+  return found;
+}
 /**
  * Trusted npm organizations/scopes (official packages, not typosquatting)
  *
@@ -1610,8 +1785,8 @@ function analyzeCode(pkg, config, issues, verbose = false) {
           // Check if "eval" is part of a longer word (not a function call)
           const matchText = patternMatch[0];
           const matchIndex = patternMatch.index;
-          const beforeMatch = content.slice(Math.max(0, matchIndex - 20), matchIndex);
-          const afterMatch = content.slice(matchIndex + matchText.length, matchIndex + matchText.length + 20);
+          const beforeMatch = content.slice(Math.max(0, matchIndex - 30), matchIndex);
+          const afterMatch = content.slice(matchIndex + matchText.length, matchIndex + matchText.length + 30);
           // Check if it's part of a longer identifier (e.g., "unevaluated", "evaluate", "evaluation")
           // Also check for common false positives like "unevaluatedProperties", "evaluateExpression", etc.
@@ -1622,6 +1797,17 @@ function analyzeCode(pkg, config, issues, verbose = false) {
             continue; // Skip - it's part of a variable/function name, not eval() call
           }
+          // Check if it's a method definition (async eval, function eval, const eval =, etc.)
+          // or method call on object (this.redis.eval, client.eval, etc.)
+          // These are NOT JavaScript eval() calls
+          const isMethodDefinition = /\b(async|function|const|let|var|class|static|get|set)\s+eval\s*\(/i.test(beforeMatch.slice(-20) + matchText);
+          const isMethodCall = /\.eval\s*\(/.test(beforeMatch.slice(-10) + matchText);
+          const isPropertyAccess = /\.eval\s*[=:]/.test(beforeMatch.slice(-10) + matchText + afterMatch.slice(0, 5));
+          if (isMethodDefinition || isMethodCall || isPropertyAccess) {
+            continue; // Skip - it's a method name (e.g., Redis eval, async eval method), not JavaScript eval()
+          }
           // Skip if it's in a test directory or test file (tests often use eval for mocking)
           const isTestFile = /(?:^|\/)(?:test|spec|__tests__|__mocks__)(?:\/|$)/i.test(relativePath) ||
                             /(?:^|\/)(?:test|spec)\.(js|mjs|cjs)$/i.test(relativePath);
@@ -1744,6 +1930,7 @@ function analyzeCode(pkg, config, issues, verbose = false) {
               codeSnippet: snippet?.snippet || null,
               lineNumber: snippet?.lineNumber || null,
               matchedText: snippet?.matchedText || null,
+              isMinified: snippet?.isMinified || false,
               falsePositiveHints: [
                 isTestFile ? '✓ This appears to be a test file - eval usage for mocking is common' : null,
                 isMinifiedOrBundled ? '✓ This appears to be a minified/bundled file - eval patterns may be false positives' : null,
@@ -1876,6 +2063,7 @@ function analyzeCode(pkg, config, issues, verbose = false) {
               codeSnippet: snippet?.snippet || null,
               lineNumber: snippet?.lineNumber || null,
               matchedText: snippet?.matchedText || null,
+              isMinified: snippet?.isMinified || false,
               falsePositiveHints: [
                 isBuildFile ? '✓ This appears to be a build file - child_process usage is common' : null,
                 'Build tools commonly use child_process (webpack, babel plugins)',
@@ -1944,6 +2132,7 @@ function analyzeCode(pkg, config, issues, verbose = false) {
               codeSnippet: snippet?.snippet || null,
               lineNumber: snippet?.lineNumber || null,
               matchedText: snippet?.matchedText || null,
+              isMinified: snippet?.isMinified || false,
               falsePositiveHints: [
                 'SSH/Git tools may legitimately access ~/.ssh',
                 'AWS SDK wrappers may check ~/.aws for config',
@@ -1958,7 +2147,7 @@ function analyzeCode(pkg, config, issues, verbose = false) {
         }
       }
-      // Check for Node.js network patterns (like Shai-Hulud 2.0 attack)
+      // Check for Node.js network patterns (common in supply chain attacks)
       // Skip if package is clearly an HTTP client library or network-related utility
       const isHttpClient = pkg && /^(axios|got|node-fetch|undici|ky|superagent|request|needle|phin|bent|httpie|type-check|xmlhttprequest)/i.test(pkg.name);
@@ -2032,6 +2221,7 @@ function analyzeCode(pkg, config, issues, verbose = false) {
                 codeSnippet: snippet?.snippet || null,
                 lineNumber: snippet?.lineNumber || null,
                 matchedText: snippet?.matchedText || null,
+                isMinified: snippet?.isMinified || false,
                 falsePositiveHints: [
                   isTestFile ? '✓ This appears to be a test file - network mocking is common' : null,
                   'HTTP client libraries (axios, got, fetch) are common',
@@ -2210,21 +2400,60 @@ function analyzeCode(pkg, config, issues, verbose = false) {
             }
           }
-          // Determine severity based on context
-          // Install scripts often legitimately use env + network (downloading binaries)
-          // But we still flag them - user should review, but with lower severity
+          // Analyze context: is env actually passed to network/exec, or just used locally?
+          // Use broader context for analysis (envContext was already defined earlier, but we need more context)
+          const broaderEnvContext = content.slice(Math.max(0, envMatchIndex - 150), Math.min(content.length, envMatchIndex + 300));
+          const envPassedToExec = /(?:env|process\.env).*[:=].*(?:spawn|exec|fork|child_process)/i.test(broaderEnvContext) ||
+                                  /(?:spawn|exec|fork).*\{[^}]*env/i.test(broaderEnvContext) ||
+                                  /(?:spawn|exec|fork).*\{[^}]*\.\.\.process\.env/i.test(broaderEnvContext);
+          // Check if env is used only for local config (less suspicious)
+          const envUsedLocally = /process\.env\.(?:NODE_ENV|DEBUG|CI|FORCE_COLOR|NO_COLOR|TZ|LANG|LC_|HOME|USER|PATH|SHELL|PWD|HADOOP_HOME|LIBC|FORMAT_START)/i.test(envContext);
+          // Check if it's just passing entire process.env to child_process (common pattern)
+          const passesFullEnv = /(?:env|process\.env).*[:=].*process\.env|\.\.\.process\.env/i.test(broaderEnvContext);
+          // Determine severity based on context - no package is trusted by default
+          // CRITICAL: If there's network access, always critical (most dangerous pattern)
+          // This is a known supply chain attack pattern: env + network + exec
           let severity = 'critical';
-          if (isInstallScriptFile) {
-            severity = 'medium'; // Install scripts are less suspicious, but still worth reviewing
+          // Only lower severity if there's NO network access (only child_process)
+          // If network is present, it's always critical - could be exfiltrating credentials
+          const hasNetwork = networkMatch || nodeNetworkMatch;
+          if (hasNetwork) {
+            // env + network + exec = CRITICAL (supply chain attack pattern)
+            severity = 'critical';
+          } else if (isInstallScriptFile) {
+            // Install scripts with env + child_process (no network) - medium
+            severity = 'medium';
+          } else if (envUsedLocally && !envPassedToExec && childProcessMatch) {
+            // If env is only used locally (like NODE_ENV) and only child_process (no network), lower severity
+            severity = 'medium';
+          } else if (passesFullEnv && childProcessMatch) {
+            // Passing full process.env to child_process is common pattern, but still review
+            severity = 'medium';
+          }
+          // Otherwise: env + child_process (unknown pattern) = critical
+          // Determine recommendation based on severity
+          let recommendation;
+          if (hasNetwork) {
+            recommendation = 'DANGER: This pattern (env + network + exec) matches known credential exfiltration attack patterns. Investigate immediately.';
+          } else if (isInstallScriptFile) {
+            recommendation = 'Install scripts often use env vars + child_process. Review to ensure it\'s legitimate and not exfiltrating data.';
+          } else if (severity === 'medium') {
+            recommendation = 'This pattern (env + child_process, no network) can be legitimate. Review to ensure env vars are not being exfiltrated through child processes.';
+          } else {
+            recommendation = 'DANGER: This pattern matches known credential exfiltration attack patterns. Investigate immediately.';
           }
           const issue = {
             severity: severity,
             reason: 'env_with_network',
             detail: `File "${relativePath}" accesses environment variables and has network/exec capabilities`,
-            recommendation: isInstallScriptFile
-              ? 'Install scripts often use env vars + network to download binaries. Review to ensure it\'s legitimate.'
-              : 'DANGER: This pattern matches credential exfiltration attacks like Shai-Hulud 2.0. Investigate immediately.',
+            recommendation: recommendation,
           };
           if (verbose) {
@@ -2233,6 +2462,9 @@ function analyzeCode(pkg, config, issues, verbose = false) {
               ? extractCodeSnippet(content, nodeNetworkMatch, 3)
               : (networkMatch ? extractCodeSnippet(content, networkMatch, 3) : null);
+            // If no network snippet but we have child_process, use that as exec capability
+            const execSnippet = networkSnippet || (childProcessMatch ? extractCodeSnippet(content, childProcessMatch, 3) : null);
             const envMatches = findAllMatches(content, envMatch, 5);
             issue.verbose = {
@@ -2246,17 +2478,25 @@ function analyzeCode(pkg, config, issues, verbose = false) {
               },
               envCodeSnippet: envSnippet?.snippet || null,
               envLineNumber: envSnippet?.lineNumber || null,
-              networkCodeSnippet: networkSnippet?.snippet || null,
-              networkLineNumber: networkSnippet?.lineNumber || null,
+              envIsMinified: envSnippet?.isMinified || false,
+              networkCodeSnippet: execSnippet?.snippet || null,
+              networkLineNumber: execSnippet?.lineNumber || null,
+              networkIsMinified: execSnippet?.isMinified || false,
               falsePositiveHints: [
-                isInstallScriptFile ? '⚠ This appears to be an install script - may legitimately download binaries' : null,
-                '⚠ This is a HIGH-RISK pattern matching known attacks',
+                hasNetwork ? '⚠ CRITICAL: matches known credential exfiltration attack patterns' : null,
+                isInstallScriptFile ? '⚠ This appears to be an install script - may legitimately use child_process' : null,
+                !hasNetwork && envUsedLocally && !envPassedToExec ? '✓ Environment variables appear to be used only for local configuration (no network detected)' : null,
+                !hasNetwork && passesFullEnv ? '✓ Passing full process.env to child_process is a common pattern (but still review - no network detected)' : null,
+                severity === 'critical' ? '⚠ This is a HIGH-RISK pattern matching known attacks' : null,
                 'Legitimate uses: reading config from env for API calls, install scripts downloading binaries',
                 'Check what env vars are accessed and where data is sent',
+                hasNetwork ? '⚠ Network access combined with env + exec = potential credential exfiltration' : null,
               ].filter(Boolean),
-              riskAssessment: isInstallScriptFile
-                ? 'MEDIUM - Install scripts often use env + network legitimately, but should be reviewed'
-                : 'CRITICAL - Matches Shai-Hulud 2.0 and similar attack patterns',
+              riskAssessment: hasNetwork || severity === 'critical'
+                ? 'CRITICAL - matches known credential exfiltration attack patterns'
+                : isInstallScriptFile
+                ? 'MEDIUM - Install scripts often use env + child_process legitimately, but should be reviewed'
+                : 'MEDIUM - Pattern can be legitimate (no network detected), review to ensure no credential exfiltration',
               attackPattern: 'Environment variable access combined with network/exec = potential credential exfiltration',
             };
           }
@@ -2362,6 +2602,7 @@ function analyzeCode(pkg, config, issues, verbose = false) {
                 },
                 codeSnippet: snippet?.snippet || null,
                 lineNumber: snippet?.lineNumber || null,
+                isMinified: snippet?.isMinified || false,
                 falsePositiveHints: [
                   isMinifiedFile ? '✓ This appears to be a minified file - obfuscation patterns are expected' : null,
                   isLikelyMinified ? '✓ This file appears to be minified - skipping' : null,
@@ -2482,6 +2723,30 @@ function truncate(str, maxLen) {
   return str.slice(0, maxLen - 3) + '...';
 }
+/**
+ * Check if a line appears to be minified code
+ * @param {string} line - Line of code to check
+ * @returns {boolean} True if line appears minified
+ */
+function isMinifiedLine(line) {
+  // Minified code typically has:
+  // - Very long lines (>500 chars)
+  // - Very few spaces (dense code)
+  // - No comments
+  // - Dense character usage
+  if (line.length < 500) return false;
+  // Check if line has very few spaces relative to its length
+  const spaceRatio = (line.match(/\s/g) || []).length / line.length;
+  // Minified code usually has < 5% whitespace
+  if (spaceRatio < 0.05) return true;
+  // Check if line has no typical formatting (no indentation, no line breaks in strings)
+  if (line.length > 1000 && !line.includes('\n') && spaceRatio < 0.1) return true;
+  return false;
+}
 /**
  * Extract code snippet with context around a match
  * @param {string} content - Full file content
@@ -2495,6 +2760,51 @@ function extractCodeSnippet(content, pattern, contextLines = 3) {
   for (let i = 0; i < lines.length; i++) {
     const match = lines[i].match(pattern);
     if (match) {
+      const isMinified = isMinifiedLine(lines[i]);
+      if (isMinified) {
+        // For minified code, show a truncated snippet around the match
+        const matchIndex = match.index;
+        const matchLength = match[0].length;
+        const line = lines[i];
+        // Extract context around the match (150 chars before, 150 after)
+        const contextBefore = 150;
+        const contextAfter = 150;
+        const start = Math.max(0, matchIndex - contextBefore);
+        const end = Math.min(line.length, matchIndex + matchLength + contextAfter);
+        const beforeText = start > 0 ? '...' : '';
+        const afterText = end < line.length ? '...' : '';
+        const snippetText = beforeText + line.slice(start, end) + afterText;
+        // Calculate the position of the match marker in the snippet
+        // The match position relative to the snippet start
+        const matchPosInSnippet = (start > 0 ? 3 : 0) + (matchIndex - start); // 3 for "..."
+        const linePrefix = `>>>     ${i + 1} | `;
+        const markerPadding = linePrefix.length + matchPosInSnippet;
+        const snippetLines = [];
+        snippetLines.push(`${linePrefix}${snippetText}`);
+        // Add marker pointing to the match (limit to reasonable length)
+        const markerChars = Math.min(matchLength, 15);
+        const markerLine = '        ' + ' '.repeat(markerPadding) +
+                          '^'.repeat(markerChars) +
+                          ` (column ${matchIndex + 1})`;
+        snippetLines.push(markerLine);
+        snippetLines.push(`        [Minified code - showing context around match only]`);
+        return {
+          lineNumber: i + 1,
+          column: matchIndex + 1,
+          matchedText: match[0],
+          snippet: snippetLines.join('\n'),
+          lineContent: line.length > 150 ? line.slice(0, 150) + '...' : line,
+          isMinified: true,
+        };
+      }
+      // Normal code - show context lines
       const startLine = Math.max(0, i - contextLines);
       const endLine = Math.min(lines.length - 1, i + contextLines);
@@ -2502,7 +2812,12 @@ function extractCodeSnippet(content, pattern, contextLines = 3) {
       for (let j = startLine; j <= endLine; j++) {
         const lineNum = String(j + 1).padStart(4, ' ');
         const marker = j === i ? '>>>' : '   ';
-        snippetLines.push(`${marker} ${lineNum} | ${lines[j]}`);
+        // Truncate very long lines even in normal code (but less aggressively)
+        let lineText = lines[j];
+        if (lineText.length > 300) {
+          lineText = lineText.slice(0, 297) + '...';
+        }
+        snippetLines.push(`${marker} ${lineNum} | ${lineText}`);
       }
       return {
@@ -2510,7 +2825,8 @@ function extractCodeSnippet(content, pattern, contextLines = 3) {
         column: match.index + 1,
         matchedText: match[0],
         snippet: snippetLines.join('\n'),
-        lineContent: lines[i],
+        lineContent: lines[i].length > 200 ? lines[i].slice(0, 200) + '...' : lines[i],
+        isMinified: false,
       };
     }
   }

package/src/collector.js CHANGED Viewed

@@ -71,17 +71,6 @@ function safeReadJSONWithDetails(filePath, options = {}) {
   }
 }
-/**
- * Safely read and parse a JSON file (simplified API)
- * @param {string} filePath - Path to JSON file
- * @returns {Object|null} Parsed JSON or null on error
- * @deprecated Use safeReadJSONWithDetails for better error handling
- */
-function safeReadJSON(filePath) {
-  const result = safeReadJSONWithDetails(filePath);
-  return result.data;
-}
 /**
  * Collect all packages from node_modules recursively
  * @param {string} nodeModulesPath - Path to node_modules
@@ -289,7 +278,6 @@ function normalizeRepository(repo) {
 module.exports = {
   collectPackages,
   readPackage,
-  safeReadJSON,
   safeReadJSONWithDetails,
   JSON_READ_ERROR,
 };

package/src/config.js CHANGED Viewed

@@ -17,7 +17,7 @@ const DEFAULT_CONFIG = {
   checkLockfile: false,        // Lockfile integrity checks (disabled by default due to false positives)
   failOn: null,
   severity: null,      // Array of severity levels to show (e.g., ['critical', 'high'])
-  format: 'text',      // Output format: 'text', 'json', 'sarif'
+  format: 'text',      // Output format: 'text', 'json', 'sarif' (sarif is experimental)
   verbose: false,      // Show detailed analysis
   // Known legitimate packages with install scripts
   // NOTE: Whitelist cleared - all packages are now checked without exceptions.
@@ -282,13 +282,13 @@ function generateExampleConfig() {
     trustedPatterns: {
       "custom-build-script": true
     },
-    scanCode: false,
+    scanCode: true,
     checkTyposquatting: false,
     checkLockfile: false,
     failOn: "high",
     severity: ["critical", "high", "medium"],
     format: "text",
-    verbose: false,
+    verbose: true,
     maxFileSizeForCodeScan: 1048576,
     maxNestedDepth: 10,
     maxFilesPerPackage: 0,

package/src/formatters.js CHANGED Viewed

@@ -8,6 +8,9 @@ const SEVERITY_ORDER = ['info', 'low', 'medium', 'high', 'critical'];
  * Get color code for severity level
  */
 function colorSeverity(severity) {
+  if (severity === null) {
+    return color('none', colors.dim);
+  }
   switch (severity) {
     case 'critical':
       return color(severity.toUpperCase(), colors.magenta + colors.bold);
@@ -43,6 +46,7 @@ function formatText(issues, summary, context) {
   ].filter(Boolean).join(' ');
   lines.push(header);
+  lines.push(color('Zero-dependency heuristic scanner CLI to detect supply chain attacks in node_modules', colors.dim));
   lines.push(color('─'.repeat(60), colors.dim));
   lines.push('');
@@ -157,11 +161,26 @@ function formatText(issues, summary, context) {
         if (issue.verbose.codeSnippet) {
           lines.push(`    ${color('Code Snippet:', colors.bold)}`);
           const snippetLines = issue.verbose.codeSnippet.split('\n');
+          const isMinified = issue.verbose.isMinified;
           for (const snippetLine of snippetLines) {
             const isHighlighted = snippetLine.startsWith('>>>');
-            lines.push(`      ${isHighlighted ? color(snippetLine, colors.yellow) : color(snippetLine, colors.dim)}`);
+            const isNote = snippetLine.includes('[Minified code') ||
+                          snippetLine.includes('Note:') ||
+                          snippetLine.includes('column') ||
+                          snippetLine.includes('match at');
+            if (isNote) {
+              // Style notes differently - use cyan for informational notes
+              lines.push(`      ${color(snippetLine, colors.cyan + colors.dim)}`);
+            } else if (isHighlighted) {
+              lines.push(`      ${color(snippetLine, colors.yellow)}`);
+            } else {
+              lines.push(`      ${color(snippetLine, colors.dim)}`);
+            }
           }
-          if (issue.verbose.lineNumber) {
+          if (issue.verbose.lineNumber && !isMinified) {
             lines.push(`      ${color(`↑ Line ${issue.verbose.lineNumber}`, colors.cyan)}`);
           }
         }
@@ -170,18 +189,54 @@ function formatText(issues, summary, context) {
         if (issue.verbose.envCodeSnippet) {
           lines.push(`    ${color('Environment Access:', colors.bold)}`);
           const snippetLines = issue.verbose.envCodeSnippet.split('\n');
+          const isMinified = issue.verbose.envIsMinified || false;
           for (const snippetLine of snippetLines) {
             const isHighlighted = snippetLine.startsWith('>>>');
-            lines.push(`      ${isHighlighted ? color(snippetLine, colors.yellow) : color(snippetLine, colors.dim)}`);
+            const isNote = snippetLine.includes('[Minified code') ||
+                          snippetLine.includes('Note:') ||
+                          snippetLine.includes('column') ||
+                          snippetLine.includes('match at');
+            if (isNote) {
+              lines.push(`      ${color(snippetLine, colors.cyan + colors.dim)}`);
+            } else if (isHighlighted) {
+              lines.push(`      ${color(snippetLine, colors.yellow)}`);
+            } else {
+              lines.push(`      ${color(snippetLine, colors.dim)}`);
+            }
+          }
+          if (issue.verbose.envLineNumber && !isMinified) {
+            lines.push(`      ${color(`↑ Line ${issue.verbose.envLineNumber}`, colors.cyan)}`);
           }
         }
         if (issue.verbose.networkCodeSnippet) {
-          lines.push(`    ${color('Network Access:', colors.bold)}`);
+          // For env_with_network, this could be network OR exec capability
+          const accessType = issue.reason === 'env_with_network' ? 'Network/Exec Access' : 'Network Access';
+          lines.push(`    ${color(`${accessType}:`, colors.bold)}`);
           const snippetLines = issue.verbose.networkCodeSnippet.split('\n');
+          const isMinified = issue.verbose.networkIsMinified || false;
           for (const snippetLine of snippetLines) {
             const isHighlighted = snippetLine.startsWith('>>>');
-            lines.push(`      ${isHighlighted ? color(snippetLine, colors.yellow) : color(snippetLine, colors.dim)}`);
+            const isNote = snippetLine.includes('[Minified code') ||
+                          snippetLine.includes('Note:') ||
+                          snippetLine.includes('column') ||
+                          snippetLine.includes('match at');
+            if (isNote) {
+              lines.push(`      ${color(snippetLine, colors.cyan + colors.dim)}`);
+            } else if (isHighlighted) {
+              lines.push(`      ${color(snippetLine, colors.yellow)}`);
+            } else {
+              lines.push(`      ${color(snippetLine, colors.dim)}`);
+            }
+          }
+          if (issue.verbose.networkLineNumber && !isMinified) {
+            lines.push(`      ${color(`↑ Line ${issue.verbose.networkLineNumber}`, colors.cyan)}`);
           }
         }
@@ -247,6 +302,11 @@ function formatText(issues, summary, context) {
   lines.push(color('─'.repeat(60), colors.dim));
   lines.push(color('chain-audit by Hubert Kasperek • MIT License', colors.dim));
   lines.push(color('https://github.com/hukasx0/chain-audit', colors.dim));
+  lines.push('');
+  lines.push(color('Disclaimer: Licensed under MIT License, provided "AS IS" without warranty.', colors.dim));
+  lines.push(color('The author makes no guarantees and takes no responsibility for false', colors.dim));
+  lines.push(color('positives, false negatives, missed attacks, or any damages resulting from use.', colors.dim));
+  lines.push(color('Review all findings manually. Use at your own risk.', colors.dim));
   return lines.join('\n');
 }
@@ -341,6 +401,8 @@ function formatJson(issues, summary, context) {
 /**
  * Format issues as SARIF (Static Analysis Results Interchange Format)
  * Compatible with GitHub Code Scanning
+ *
+ * @experimental This format is experimental and may change in future versions
  */
 function formatSarif(issues, summary, context) {
   const sarif = {
@@ -441,7 +503,7 @@ function generateSarifRules() {
       id: 'install_script',
       name: 'InstallScript',
       shortDescription: { text: 'Has install lifecycle script' },
-      fullDescription: { text: 'Package has preinstall, install, postinstall, or prepare script' },
+      fullDescription: { text: 'Package has preinstall, install, or postinstall script' },
       defaultConfiguration: { level: 'warning' },
     },
     {
@@ -483,9 +545,16 @@ function generateSarifRules() {
       id: 'native_binary',
       name: 'NativeBinary',
       shortDescription: { text: 'Contains native binaries' },
-      fullDescription: { text: 'Package contains native binary files (.node, .so, .dll, .dylib)' },
+      fullDescription: { text: 'Package contains native module binary files (.node, .so, .dylib)' },
       defaultConfiguration: { level: 'note' },
     },
+    {
+      id: 'executable_files',
+      name: 'ExecutableFiles',
+      shortDescription: { text: 'Contains executable files' },
+      fullDescription: { text: 'Package contains executable files (shell scripts, etc.) that may indicate supply chain attacks' },
+      defaultConfiguration: { level: 'warning' },
+    },
     {
       id: 'potential_typosquat',
       name: 'PotentialTyposquat',
@@ -570,6 +639,9 @@ function generateSarifRules() {
  * Map our severity levels to SARIF levels
  */
 function mapSeverityToSarif(severity) {
+  if (severity === null) {
+    return 'none';
+  }
   switch (severity) {
     case 'critical':
     case 'high':

package/src/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * chain-audit - Supply chain attack scanner for node_modules
+ * chain-audit - Supply chain attack heuristic scanner for node_modules
  *
  * Detects suspicious patterns in dependencies including:
  * - Malicious install scripts
@@ -18,12 +18,12 @@ const path = require('path');
 const { parseArgs } = require('./cli');
 const { loadConfig, mergeConfig, initConfig } = require('./config');
 const { buildLockIndex } = require('./lockfile');
-const { collectPackages, safeReadJSON } = require('./collector');
+const { collectPackages, safeReadJSONWithDetails } = require('./collector');
 const { analyzePackage } = require('./analyzer');
 const { formatText, formatJson, formatSarif } = require('./formatters');
 const { color, colors } = require('./utils');
-const pkgMeta = safeReadJSON(path.join(__dirname, '..', 'package.json')) || {};
+const pkgMeta = (safeReadJSONWithDetails(path.join(__dirname, '..', 'package.json')).data) || {};
 function detectDefaultLockfile(cwd) {
   const candidates = [
@@ -42,7 +42,7 @@ function detectDefaultLockfile(cwd) {
 function summarize(issues) {
   const counts = { info: 0, low: 0, medium: 0, high: 0, critical: 0 };
-  let maxSeverity = 'info';
+  let maxSeverity = null;
   const severityOrder = ['info', 'low', 'medium', 'high', 'critical'];
   const rankSeverity = (level) => {
@@ -54,7 +54,7 @@ function summarize(issues) {
     if (counts[issue.severity] !== undefined) {
       counts[issue.severity] += 1;
     }
-    if (rankSeverity(issue.severity) > rankSeverity(maxSeverity)) {
+    if (maxSeverity === null || rankSeverity(issue.severity) > rankSeverity(maxSeverity)) {
       maxSeverity = issue.severity;
     }
   }
@@ -81,13 +81,13 @@ function run(argv = process.argv) {
       console.log(color('✓', colors.green), result.message);
       console.log('\nConfiguration options:');
       console.log(color('  ignoredPackages', colors.cyan), '  - Packages to skip during analysis (supports glob patterns)');
-      console.log(color('  ignoredRules', colors.cyan), '     - Rule IDs to ignore (e.g., "native_binary")');
+      console.log(color('  ignoredRules', colors.cyan), '     - Rule IDs to ignore (e.g., "native_binary,executable_files")');
       console.log(color('  trustedPackages', colors.cyan), '  - Known legitimate packages with install scripts');
       console.log(color('  trustedPatterns', colors.cyan), '  - Patterns that reduce severity for known use cases');
       console.log(color('  scanCode', colors.cyan), '          - Enable deep JS file scanning (slower)');
       console.log(color('  failOn', colors.cyan), '            - Exit 1 when max severity >= level');
       console.log(color('  severity', colors.cyan), '          - Filter to show only specific severity levels');
-      console.log(color('  format', colors.cyan), '            - Output format: text, json, sarif');
+      console.log(color('  format', colors.cyan), '            - Output format: text, json, sarif (experimental)');
       console.log(color('  detailed', colors.cyan), '          - Show detailed analysis (verbose is alias)');
       return { exitCode: 0 };
     } else {
@@ -185,9 +185,9 @@ function run(argv = process.argv) {
   // Determine exit code
   const severityOrder = ['info', 'low', 'medium', 'high', 'critical'];
-  const rankSeverity = (level) => severityOrder.indexOf(level);
+  const rankSeverity = (level) => level === null ? -1 : severityOrder.indexOf(level);
-  if (config.failOn && rankSeverity(summary.maxSeverity) >= rankSeverity(config.failOn)) {
+  if (config.failOn && summary.maxSeverity !== null && rankSeverity(summary.maxSeverity) >= rankSeverity(config.failOn)) {
     return { exitCode: 1, issues, summary };
   }
@@ -204,7 +204,7 @@ function matchPattern(pattern, name) {
 function printHelp() {
   const text = `
-${color('chain-audit', colors.bold)} - Supply chain attack scanner for node_modules
+${color('chain-audit', colors.bold)} - Zero-dependency heuristic scanner CLI to detect supply chain attacks in node_modules
 ${color('USAGE:', colors.bold)}
   chain-audit [options]
@@ -217,7 +217,7 @@ ${color('OPTIONS:', colors.bold)}
   -c, --config <path>        Path to config file (auto-detects .chainauditrc.json,
                              .chainauditrc, chainaudit.config.json)
   --json                     Output as JSON
-  --sarif                    Output as SARIF (for GitHub Code Scanning)
+  --sarif                    Output as SARIF (for GitHub Code Scanning) [experimental]
   -s, --severity <levels>    Show only specified severity levels (comma-separated)
                              e.g., --severity critical,high or --severity low
   --fail-on <level>          Exit 1 when max severity >= level
@@ -291,21 +291,28 @@ ${color('EXAMPLES:', colors.bold)}
 ${color('CONFIGURATION:', colors.bold)}
   Create a config file in your project root:
   (.chainauditrc.json, .chainauditrc, or chainaudit.config.json)
+  Example (simplified):
   {
     "ignoredPackages": ["@types/*"],
     "ignoredRules": ["native_binary"],
     "trustedPackages": ["my-native-addon"],
-    "scanCode": false,
+    "scanCode": true,
+    "verbose": true,
     "failOn": "high",
     "verifyIntegrity": false,
-    "maxFilesPerPackage": 0
+    "maxFilesPerPackage": 0,
+    "format": "text"
   }
+  For full config with all options, use: ${color('chain-audit --init', colors.cyan)}
 ${color('DISCLAIMER:', colors.bold)}
-  This tool is provided "AS IS" without warranty. The author takes no
-  responsibility for false positives, false negatives, missed attacks, or
-  any damages resulting from use of this tool. Use at your own risk.
-  Always review findings manually and use as part of defense-in-depth.
+  Licensed under MIT License, provided "AS IS" without warranty.
+  The author makes no guarantees and takes no responsibility for false
+  positives, false negatives, missed attacks, or any damages resulting
+  from use of this tool. Use at your own risk. Always review findings
+  manually and use as part of defense-in-depth.
 ${color('MORE INFO:', colors.bold)}
   https://github.com/hukasx0/chain-audit